Red Hat DIRECTORY SERVER 2.0 - GATEWAY Manual de usuario descargar pdf (Pagina 75)

Chapter 10. Access control

Two ways

There are two ways to do access control: by the location of the client and by the

identity of the user operating the client.

Client location

There is a brief discussion of why this mechanism is fraught with difﬁculties caused

by proxies and the like. Then the commands to implement it are covered.

User identity

There is a discussion of the Basic and Digest protocols for user identiﬁcation. Access

by user or group and user administration is then covered.

Mixed working

The mixed case of authorising passwordless access from within the institution but

requiring authentication from outside will be given in detail.

Blocked names

It is also possible to block a ﬁle from being downloaded at all based on its name.

Now we move to the topic of access control. There are fundamentally two ways of

doing this: by client location and client identity.

Client location involves specifying whether access is permitted based on the IP ad-

dress or hostname of the client (i.e. browsing) system. When a request is received by

the server the IP address of the client, browsing system is known. This address, or the

hostname associated with it, is checked against a set of rules to determine whether or

not the request should be honoured.

Proxy servers

Client location security is often used within the University for restricting

access to an institution or to the University, loosely deﬁned as “any-

thing in cam.ac.uk”. This approach doesn’t work but is often regarded

as “good enough” to keep happy the politicians, lawyers and other peo-

ple who don’t understand technology. From the point of view of the

web administrator it also has the advantage of simplicity. The reason

it doesn’t work is that web proxies can forward a request from outside

Cambridge on to a server within Cambridge which sees the request

coming from within Cabridge and honours it. The Computing Service

has had its internal minutes cached on Google for the whole world to

read after a web proxy on the CS staff network went unnoticed.

Client identity involves challenging the user to quote some means of identifying him

or herself before permitting access to the document requested. This has the advan-

tage of dealing with proxies, but the disadvantage of requiring administration of the

userids and passwords. A common compromise is to create a single userid and pass-

word for a set of pages and pass the pair on to anyone who needs access. This has the

disadvantage that you don’t know which of your users read the pages, but often you

don’t want to know.

1 2 ... 70 71 72 73 74 75 76 77 78 79 80 ... 95 96

Sin comentarios

Red Hat DIRECTORY SERVER 2.0 - GATEWAY Manual de usuario Pagina 75